The Australian government is working to modernise and simplify outdated laws governing how Australian agencies conduct electronic surveillance. However, this reform effort is not examining surveillance by companies—so called surveillance capitalism. This is a problem because, despite concerns about all-seeing Orwellian agencies, most electronic surveillance is undertaken by corporations harvesting data from people’s digital interactions.

Every day we hand over personal information to internet service providers, telecommunications companies, social media outlets and other companies in exchange for free, cheap or convenient service. A digital footprint follows us everywhere and the generated data is the ‘new oil’ for business.

Data collectors, including Alphabet, Amazon, Meta and Apple, have built electronic profiles of consumers to drive advertising and personalisation of services. Storage is cheap, falling from around US$30,000 per gigabyte in 1989 to less than US$0.025 in 2022, and takes up so little physical space (a 1-terabyte microSD card is smaller than a postage stamp) that there are few barriers to companies amassing stockpiles of personal information for data mining and digital experimentation.

The profiling of digital consumers enables targeted advertising to occur in the milliseconds between clicking on a web link and the page loading. The better the profile, the better the results and the higher the advertising revenue.

Consumers seem willing to accept, or at least remain blissfully ignorant of, the surveillance being undertaken, inviting ever more ‘data points’ into their lives, particularly through the use of apps on mobile phones and even paying for the privilege of allowing a constantly listening Alexa or Google device to be present in their homes. The internet has delivered undoubted benefits—reducing the costs of services, connecting global communities, and revolutionising access to information unseen since the invention of the printing press. However, as is the case with all innovation, this technology is a double-edged sword.

The amassing of personal data and profiling of individuals raises ethical, privacy and national security concerns. Profiling occurs through statistical inference applying probabilities, not certainties, which may result in advertising outcomes ranging from the mildly annoying, such as recommending baldness treatments to those with a full head of hair, to the outright dangerous, such as pushing gambling on those with a gambling addiction.

However, the targeting of advertising doesn’t stop at the passive end of responding to existing preferences; marketing professionals also build needs and wants and push consumers towards products that fill these newly created needs. Profiling helps companies find consumers who can be nudged towards desires they didn’t know they had. Worse, profiling can nudge people towards groups and ideologies they didn’t know existed. A recent paper from the Lowy Institute highlights some of the emerging national security threats of mass personal-data aggregation.

The pace of technological change has outstripped the ability of regulators to adequately address each concern that corporate electronic surveillance and use of data throws up. Attempting to close down each potentially objectionable-use case would be a giant game of interjurisdictional whack-a-mole. Instead, some principles-based regulation would ensure a sustainable digital future for citizens and, importantly, help limit national security concerns and provide a transparent framework when governments seek access to data collected by the private sector.

The corporate world has sensed the changing tide of community expectations. Apple is selling its latest iPhone operating system based on its privacy-preserving credentials. Apple’s privacy settings are credited, in part, with wiping US$250 billion from Facebook’s value—although it isn’t yet clear whether Apple is truly invested in its users’ privacy, or if the move was designed more to harm its data competitors.

In the US, a new bipartisan bill, the Social Media NUDGE Act, aims to curb algorithmic recommendations by asking researchers to identify ways of slowing down the spread of harmful content. While this is a useful first step, more is likely to be needed to prevent people from being pushed towards dangerous disinformation—leading to echo chambers of increasing furore on micro-targeted issues. The potential for adversary nations to exploit algorithms in social media platforms to create or amplify internal divisions warrants serious consideration as an area for regulatory reform.

Article 17 of the EU General Data Protection Regulation enshrines a right for a citizen to request erasure of personal data in certain circumstances. In order to prevent the long-term profiling of Australians, and to mitigate privacy and national security risks, consideration should be given to replicating this regulation in Australia. A right to an annual data ‘reset’ might help balance the benefits (using the consumer’s current preferences) against the dangers (building a long-run profile to nudge people towards radicalisation).

Finally, consideration should be given to the extent to which the Australian government may supplement its direct collection of surveillance material with data from private companies. The Department of Home Affairs is currently consulting on a range of reforms to electronic surveillance, but makes little mention of whether that extends to obtaining data collected by corporations. The reform package should address this, including outlining an authorisation regime, establishing limits on the scope of the requests, and setting out the rights of the private company to refuse or contest the authority or scope of the request.